From the position of the bean provider ("application component provider"), and forgetting about instance-based access control, you should (in general case):1) extract the list of all use cases, where you beans are going to be used;2) generalize the list of correspondent actors to the set of roles;3) use these roles for setting permissions of beans/methods in ejb-jar.xml deployment descriptor;4) optionally, you can use this roles inside bean methods code for security or other goals.

From the position of ASP ("application assembler" and "application deployer") you should (in general case):1) configure application server security infrastructure according your requirements;2) map roles from the ejb-jar.xml to real roles in the security domain of the application server, and put this mapping information into the jboss.xml deployment descriptor;3) compose components to application;4) deploy and test the application;5) ... etc.

Now, I have a question. It is how to set id and password authenticating identity.Above code(no 5) uses Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS to set id and password but as result, such approach seems invalid. Otherwise I may use LoginContext to authenticate indentity but It also seems to not support function for remote server.

Ability to get access to the JNDI tree does not mean, that your client application has pass the JAAS login (and Subject and SecurityAssociation are set correctly). The exception you receive (most probably) means that your client application does not pass the JAAS login to the security domain.